R3 certificate expired

Let’s Encrypt intermediate cert expired today (DST Root CA X3 Expiration (September 2021) - Let's Encrypt). The Webmail and Webadmin pages now trigger alerts. I am not sure why Axigen still uses this old cert chain. I tried renewing the cert from the admin interface without any luck.

Hello,

The certificate is obtained from Let’s Encrypt (requested via WebAdmin > SSL Certs or via CLI) and it does not contain any additional chain certificates.

This could be checked by choosing Download Certificate File and checking that you have only the following lines:

BEGIN / END CERTIFICATE
BEGIN / END RSA PRIVATE KEY

Please check your WebMail / WebAdmin listeners (and related virtual hosts if you had some) for what is configured in SSL > Certificate authorities file as there you could add / change any CA related certificates.

You may find the received chain certificate in the letsencrypt folder from the Axigen working folder (check for the cert_auth.pem file).

$ openssl x509 -in /var/opt/axigen/letsencrypt/webmail.test.org/cert_auth.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            91:2b:08:4a:cf:0c:18:a7:53:f6:d6:2e:25:a7:5f:5a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Sep  4 00:00:00 2020 GMT
            Not After : Sep 15 16:00:00 2025 GMT
        Subject: C = US, O = Let's Encrypt, CN = R3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                  ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier:
                14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            X509v3 Authority Key Identifier:
                keyid:79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E

            Authority Information Access:
                CA Issuers - URI:http://x1.i.lencr.org/

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://x1.c.lencr.org/

            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1

    Signature Algorithm: sha256WithRSAEncryption
         ...

HTH,
Ioan
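
The check described in the reply above (does the downloaded certificate file hold only one CERTIFICATE block and the private key?) can be scripted. This is an added example, not part of the original thread and not Axigen code; the function names and the two sample bundles are constructed for illustration, and the sample bodies are placeholder bytes, not real certificates or keys.

```python
import base64
import re

# One PEM block: BEGIN <label>, base64 body, matching END <label>.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed placeholder body (5 bytes), NOT a real certificate or key.
_FAKE = "MAMCAQE="


def _block(label):
    return f"-----BEGIN {label}-----\n{_FAKE}\n-----END {label}-----\n"


# Constructed samples: what the reply describes, and a bundle that carries a chain.
LEAF_ONLY = _block("CERTIFICATE") + _block("RSA PRIVATE KEY")
WITH_CHAIN = (_block("CERTIFICATE") + _block("CERTIFICATE")
              + _block("RSA PRIVATE KEY"))


def inventory(pem_text):
    """Return (label, decoded_length) for every PEM block, in file order."""
    blocks = []
    for label, body in PEM_BLOCK.findall(pem_text):
        # validate=True rejects stray characters instead of skipping them.
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, len(der)))
    return blocks


def assess(pem_text):
    """Say whether the file can supply an intermediate certificate itself."""
    labels = [label for label, _ in inventory(pem_text)]
    certs = labels.count("CERTIFICATE")
    if certs == 0:
        status = "no-certificate"
    elif certs == 1:
        # The chain must then come from the listener's CA file setting.
        status = "leaf-only"
    else:
        status = "leaf-plus-chain"
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    return {"certificates": certs, "private_key": has_key, "status": status}


if __name__ == "__main__":
    for name, text in (("LEAF_ONLY", LEAF_ONLY), ("WITH_CHAIN", WITH_CHAIN)):
        print(name, assess(text))
```

A "leaf-only" result on the downloaded file means the intermediate has to be supplied through the listener's Certificate authorities file, as the reply says.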

Thanks for the hint. The value for Certificate authorities file was none. Setting to certs/cert_auth.pem solved the issue.

This should be considered a bug in Axigen. This is a known issue with Let’s Encrypt and the intermediate certificate expiring. Axigen should be including the intermediate cert in the domain cert as is typical - and this would not have been an issue. Or Axigen should point the certificate authorities file field to the letsencrypt/mail.domain.com/cert_auth.pem file, which would also resolve this situation.

By not doing either, Axigen has left their customers with SSL issues.

Hello Max,

We appreciate your feedback and we’ll take it into consideration when reviewing the way the free Let’s Encrypt SSL certificate is integrated in Axigen.

Thx,
Ioan